What is a Security Operations Center (SOC)?

A Security Operation Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.

The function of a security operations team and, frequently, of a security operations center (SOC), is to monitor, detect, investigate, and respond to cyberthreats around the clock. Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity. As the implementation component of an organization's overall cybersecurity framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.

A SOC acts like the hub or central command post, taking in telemetry from across an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored. For each of these events, the SOC must decide how they will be managed and acted upon.

SOCs have been typically built around a hub-and-spoke architecture, where a security information and event management (SIEM) system aggregates and correlates data from security feeds. Spokes of this model can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).

Optimizing a security operations model

While dealing with incidents monopolizes much of the SOC's resources, the chief information security officer (CISO) is responsible for the larger picture of risk and compliance. To bridge operational and data silos across these functions, an effective strategy requires an adaptive security architecture that enables organizations to enact optimized security operations. This approach increases efficiency through integration, automation, and orchestration, and reduces the amount of labor hours required while improving your information security management posture.

An optimized security operations model requires the adoption of a security framework that makes it easy to integrate security solutions and threat intelligence into day-to-day processes. SOC tools like centralized and actionable dashboards help integrate threat data into security monitoring dashboards and reports to keep operations and management apprised of evolving events and activities. By linking threat management with other systems for managing risk and compliance, SOC teams can better manage overall risk posture. Such configurations support continuous visibility across systems and domains and can use actionable intelligence to drive better accuracy and consistency into security operations. Centralized functions reduce the burden of manual data sharing, auditing, and reporting throughout.

Operationalizing threat management should start with a thoughtful assessment. In addition to defenses, an organization should evaluate processes and policies. Where is the organization strong? What are the gaps? What is the risk posture? What data is collected, and how much of that data is used?

While every organization is different, certain core capabilities and security operations best practices represent due care today. A reasonable threat management process starts with a plan, and includes discovery (including baseline calculation to promote anomaly detection, normalization, and correlation), triage (based on risk and asset value), analysis (including contextualization), and scoping (including iterative investigation). Threat management processes feed prioritized and characterized cases into incident response programs. A well-defined response plan is absolutely key to containing a threat or minimizing the damage from a data breach.

Figure 1. Threat management plans integrate and structure many processes across security and IT operations.

Effective visibility and threat management will draw on many data sources, but it can be hard to sort out the useful and timely information. The most valuable data has proven to be event data produced by countermeasures and IT assets, indicators of compromise (IoCs) produced internally (via malware analysis) and externally (via threat intelligence feeds), and system data available from sensors (e.g., host, network, database, etc.).

Data sources like these are not just an input to threat management. They add context and make the information valuable and actionable for more precise, accurate, and speedy assessment throughout the iterative and interactive threat management effort. Access to, and effective use of, the right data to support plans and procedures is a measure of organizational maturity. A "mature" scenario would include a workflow that hands off the right information or permits direct action within operational consoles and across products. This flow integrates IT operations and security teams and tools into incident response when there is a critical event.

All these assessments will help prioritize where an increase in investment or reduction of friction is needed to make threat management implementation match goals. Consultants and penetration tests can help benchmark strategy and organizational maturity and health check security response against attacks to obtain a current measure of an organization’s ability to detect and contain malicious events. By comparing against peer enterprises, this vetted review can help justify and explain the need to redirect or invest in cybersecurity operations resources.